Establish Site-to-Site IPSec Connection using Preshared key
Applicable Version: 10.00 onwards
Overview

IPSec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It is used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Cyberoam's IPSec VPN offers site-to-site VPN with cost-effective site-to-site remote connectivity, eliminating the need for expensive private remote access networks like leased lines, Asynchronous Transfer Mode (ATM) and Frame Relay. This article describes a detailed configuration example that demonstrates how to set up a site-to-site IPSec VPN connection between two networks using a preshared key to authenticate the VPN peers.

Scenario

Configure a site-to-site IPSec VPN connection between Site A and Site B by following the steps given below. In this article, we have used the following parameters to create the VPN connection.
Network Parameters

Local Network details
Local Server (WAN IP address): 14.15.16.17
Local LAN address: 10.5.6.0/24

Remote Network details
Remote VPN server (WAN IP address): 22.23.24.25
Remote LAN Network: 172.23.9.0/24
Site A Configuration

The configuration is to be done from Site A's Cyberoam Web Admin Console using a profile having read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter | Value | Description
Name | SiteA_to_SiteB | Name to identify the IPSec Connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultHeadOffice | Select the policy to be used for the connection
Action on VPN Restart | Respond Only | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the authentication type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoint Details
Local | PortB - 14.15.16.17 | Select the local port which acts as the end-point of the tunnel
Remote | 22.23.24.25 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 10.5.6.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 172.23.9.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons
Click OK to create IPSec connection.
Step 2: Activate Connection

On clicking OK, the following screen is displayed showing the connection created above.
Click under Status (Active) to activate the connection.
Site B Configuration
The configuration is to be done from Site B's Cyberoam Web Admin Console using a profile having read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters.

Parameter | Value | Description
Name | SiteB_to_SiteA | Name to identify the IPSec Connection
Connection Type | Site to Site | Select the type of connection. Available options: Remote Access, Site to Site, Host to Host
Policy | DefaultBranchOffice | Select the policy to be used for the connection
Action on VPN Restart | Initiate | Select the action for the connection. Available options: Respond Only, Initiate, Disable
Authentication details
Authentication Type | Preshared Key | Select the authentication type. Authentication of the user depends on the connection type.
Preshared Key | 123456789 | The preshared key should be the same as that configured at the remote site.
Endpoint Details
Local | PortB - 22.23.24.25 | Select the local port which acts as the end-point of the tunnel
Remote | 14.15.16.17 | Specify the IP address of the remote endpoint.
Local Network Details
Local Subnet | 172.23.9.0/24 | Select the local LAN address. Add and remove LAN addresses using the Add and Remove buttons
Remote Network Details
Remote LAN Network | 10.5.6.0/24 | Select the remote LAN address. Add and remove LAN addresses using the Add and Remove buttons
Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.
Click under Status (Active) and Status (Connection).
The above configuration establishes an IPSec connection between Two (2) sites.
Note:
Make sure that Firewall Rules that allow LAN to VPN and VPN to LAN traffic are configured.
In a Head Office and Branch Office setup, the Branch Office usually acts as the tunnel initiator and the Head Office acts as the responder, for the following reasons:
- Since Branch Offices or other remote sites have dynamic IPs, the Head Office is not able to initiate the connection.
- As there can be many Branch Offices, it is good practice for the Branch Offices to retry the connection instead of the Head Office retrying all the Branch Office connections, which reduces the load on the Head Office.
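The two connection definitions above must mirror each other exactly (same preshared key, swapped endpoints and subnets, one initiator and one responder) or the tunnel will not come up. The following is an added consistency check, not part of the original article or Cyberoam's software; the dictionary layout is an assumption made for the check and holds the values from the Site A and Site B tables.

```python
from ipaddress import ip_network

# Values transcribed from the Site A and Site B tables above; the dict layout
# is an assumption made for this check, not a Cyberoam export format.
SITE_A = {
    "name": "SiteA_to_SiteB", "action": "Respond Only", "psk": "123456789",
    "local_ip": "14.15.16.17", "remote_ip": "22.23.24.25",
    "local_subnets": ["10.5.6.0/24"], "remote_subnets": ["172.23.9.0/24"],
}
SITE_B = {
    "name": "SiteB_to_SiteA", "action": "Initiate", "psk": "123456789",
    "local_ip": "22.23.24.25", "remote_ip": "14.15.16.17",
    "local_subnets": ["172.23.9.0/24"], "remote_subnets": ["10.5.6.0/24"],
}


def check_peers(a, b):
    """Return the list of mismatches between two peer definitions; an empty
    list means the two sides mirror each other as the article requires."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("preshared key differs between the two sites")
    if a["local_ip"] != b["remote_ip"] or a["remote_ip"] != b["local_ip"]:
        problems.append("endpoint addresses are not mirrored")
    if (set(a["local_subnets"]) != set(b["remote_subnets"])
            or set(a["remote_subnets"]) != set(b["local_subnets"])):
        problems.append("local/remote subnets are not mirrored")
    if {a["action"], b["action"]} != {"Initiate", "Respond Only"}:
        problems.append("one side must Initiate and the other Respond Only")
    # Overlapping local and remote subnets make routing into the tunnel ambiguous.
    for local in a["local_subnets"]:
        for remote in a["remote_subnets"]:
            if ip_network(local).overlaps(ip_network(remote)):
                problems.append(f"subnet {local} overlaps {remote}")
    return problems


if __name__ == "__main__":
    print(check_peers(SITE_A, SITE_B) or "peer definitions are consistent")
```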
Allow download of specific file types from selected website(s) only

Applicable to Version: 10.00 onwards
Scenario
Allow file type categories like .mpeg, .mp3, .exe for website www.example.com, while blocking the file types for other websites.
Prerequisite
Web and Application Filter Module Subscribed.
Configuration

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Create a Custom Web Category

Create a Custom Web Category to add the required URL: www.example.com. To create a web category, go to Web Filter > Category > Category and click Add to create a new category. Specify the category parameters along with the Domain value as www.example.com, as shown in the screen below.
Click OK and the Custom Web Category AllowFileDownload will be created successfully.
Step 2: Create Web Filter Policy

Go to Web Filter > Policy > Policy and click Add to create a new Web Filter Policy named Example_Custom as shown in the diagram below.
Click OK and the Web Filter Policy Example_Custom will be created successfully.

Step 3: Configure Rules for Web Filter Policy

Select the Policy Example_Custom created in Step 2 and click Add to add the Web Filter Policy Rules.
Specify Web Filter Policy Rules as shown in the table below.
Rule 1

Here file type categories like .mpeg, .mp3, .exe are blocked for all the sites.

Parameter | Value | Description
Category Type | File Type | Select the Category Type for which the rule is to be added.
Category | Video Files, Audio Files, Executable Files | Select the categories which you want to deny for all the sites.
HTTP and HTTPS Action | Deny | Select the HTTP and HTTPS action.
Schedule | All the time | Select the schedule for the categories selected.

Click Add and the Web Filter Policy Rule will be added successfully.

Rule 2

Here file type categories like .mpeg, .mp3, .exe are blocked for all the sites, but all these file types are allowed for www.example.com.

Parameter | Value | Description
Category Type | Web Category | Select Web Category from the list of available category types.
Category | AllowFileDownload | Select the category AllowFileDownload created in Step 1.
HTTP and HTTPS Action | Allow | Select the HTTP and HTTPS action.
Schedule | All the Time | Select the schedule for the categories selected.
Click Add and the Web Filter Policy Rule will be added successfully.
Note: The AllowFileDownload category should be on top, as rules are executed in top-to-bottom sequence.

Step 4: Apply Policy to Firewall Rule or User/User Group

Firewall Rule

You can apply the policy through a Firewall Rule such that it is applied to all traffic that hits that rule. To create a Firewall Rule, go to Firewall > Rule > IPv4 Rule and click Add. As shown below, apply the Policy created in Step 1.
Click OK to apply the Firewall Rule.

User/User Group

You can apply the rule to individual users or user groups. Here, as an example, we have applied the rule to a user named John Smith. To apply the policy to an individual user, go to Identity > Users > Users and select the user to whom the policy is to be applied, i.e., John Smith. As shown below, apply the Policy created in Step 1.
Click OK to apply policy on the user.
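The note in Step 3 says the AllowFileDownload rule must sit above the file type Deny rule because rules are matched top to bottom. The following first-match evaluator, added here and not part of the article or of Cyberoam's software, models the two rules from Step 3 so the effect of the rule order can be checked against sample URLs; the extension-to-category mapping and the Allow default for URLs that match no rule are assumptions.

```python
from posixpath import splitext
from urllib.parse import urlparse

# Constructed mapping from the article's file types to its File Type categories.
FILE_TYPE_CATEGORIES = {".mpeg": "Video Files", ".mp3": "Audio Files",
                        ".exe": "Executable Files"}

# Custom Web Category from Step 1: the domain list is its only member.
WEB_CATEGORIES = {"AllowFileDownload": {"www.example.com"}}

# Rule 1 and Rule 2 from Step 3 as (category type, categories, action).
RULE_DENY_FILE_TYPES = ("File Type",
                        {"Video Files", "Audio Files", "Executable Files"}, "Deny")
RULE_ALLOW_EXAMPLE = ("Web Category", {"AllowFileDownload"}, "Allow")

CORRECT_ORDER = [RULE_ALLOW_EXAMPLE, RULE_DENY_FILE_TYPES]   # as the note requires
WRONG_ORDER = [RULE_DENY_FILE_TYPES, RULE_ALLOW_EXAMPLE]     # Deny shadows Allow


def rule_matches(rule, url):
    """True if the URL falls into one of the rule's categories."""
    category_type, categories, _action = rule
    parsed = urlparse(url)
    if category_type == "File Type":
        ext = splitext(parsed.path)[1].lower()
        return FILE_TYPE_CATEGORIES.get(ext) in categories
    if category_type == "Web Category":
        host = (parsed.hostname or "").lower()
        domains = {d for c in categories for d in WEB_CATEGORIES.get(c, ())}
        return any(host == d or host.endswith("." + d) for d in domains)
    return False


def evaluate(policy_rules, url, default="Allow"):
    """First matching rule wins, top to bottom. `default` is an assumption for
    URLs that match no rule; the article does not state the policy default."""
    for rule in policy_rules:
        if rule_matches(rule, url):
            return rule[2]
    return default


if __name__ == "__main__":
    for order_name, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for url in ("http://www.example.com/song.mp3", "http://other.example.net/song.mp3"):
            print(order_name, url, evaluate(order, url))
```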
Configure Gateway Load Balancing and Failover

Applicable to Version: 10.00 onwards

Overview

Today organizations require stable, redundant and fast ISP links to run business-critical applications. To achieve constant and secure availability of the Internet and to avoid network vulnerability, organizations prefer to have multiple ISP links. Multiple ISP links allow the network administrator to configure failover and load balancing over the Internet links.

Cyberoam supports Load Balancing and Failover for multiple ISP links based on the number of WAN ports available in the Appliance. You can terminate multiple ISP links on the available physical interfaces of Cyberoam in the form of Gateways. A Gateway can be configured as an Active or a Backup Gateway. The Gateways can be set up in Two (2) ways:

Active-Active: Here, all Gateways are in the Active state and traffic is load balanced between all Active Gateways. By default, Cyberoam adds a new gateway as an Active Gateway. Hence, Load Balancing is automatically enabled between the existing and newly added links. Cyberoam employs a weighted round robin algorithm for load balancing to enable maximum utilization of capacity across the various links.

Active-Backup: Here, One (1) or more Gateways are configured as Backup. This setup allows the Administrator to configure Gateway Failover if any active gateway goes down.
Note:
Load Balancing and Failover is supported both for IPv4 and IPv6 traffic. Load Balancing or Failover can be done between Two (2) IPv4 gateways or Two (2) IPv6 gateways.

Scenario

Consider the hypothetical network in which one ISP link is terminated on Port B and the Administrator wants to terminate another ISP link on Port D.
IP Schema

The IP schema given below is configured on Cyberoam.

Parameter | Value
Port A
IP Address | 10.10.1.1
Subnet Mask | 255.255.255.0
Zone | LAN
Port B
IP Address | 172.16.16.1
Subnet Mask | 255.252.240.0
Zone | WAN
Gateway Details
ISP Name | Default
IP Address | 172.16.16.15
Port C
IP Address | 10.10.10.1
Subnet Mask | 255.255.255.0
Zone | DMZ
Port D
Port D is an unbound port, so the zone type for Port D is set to N/A
DNS Configuration
Primary DNS | 4.2.2.2

This article is divided into the following Three (3) sections:
- Add a New Gateway
- Configure Load Balancing
- Configure Gateway Failover

Prerequisites

An unbound physical port should be available on Cyberoam. An unbound port is one which is not assigned to any security zone.

Add a New Gateway

You must be logged on to the Web Admin Console as an administrator with Read-Write permission for the relevant feature(s). To add a gateway, go to Network > Interface > Interface and configure an unbound physical port according to the parameters given below. Here, as an example, we have configured Port D.
Parameter | Value | Description
General Settings
Physical Interface | PortD | Physical interface, for example Port A, Port B
Network Zone | WAN | Select the zone to which the interface belongs.
IP Assignment | Static | Select the IP assignment type. Available options: Static (static IP addresses are available for all zones); PPPoE (available only for the WAN zone; if PPPoE is configured, the WAN port is displayed as the PPPoE interface); DHCP (available only for the WAN zone).
IP Address | 10.10.2.1 | Specify the IP address.
Subnet Mask | /24 (255.255.255.0) | Specify the network subnet mask.
Primary DNS | 203.88.135.194 | Specify the primary DNS server IP address.
Secondary DNS | 4.2.2.2 | Specify the secondary DNS server IP address.
Gateway Details
Gateway Name | PortD_Gateway | Specify the gateway name
IP Address | 10.10.2.19 | Specify the IP address of the gateway
Click OK to update the interface. On updating the interface, the gateway is added to the list of Gateways in Network > Gateway > Gateway.

Configure Load Balancing

Cyberoam allows Load Balancing between 2 or more Active-Active Gateways. By default, Cyberoam adds a new gateway as an Active Gateway. Hence, Load Balancing is automatically enabled between the existing and newly added links. A Weighted Round Robin algorithm is used for load balancing, wherein each link is assigned a weight. Cyberoam distributes traffic among the links in proportion to the weight assigned to them. To assign a weight to a link, go to Network > Gateway > Gateway and select the required Gateway.
Mention the Weight, as shown below and click OK.
Configure Gateway Failover

Cyberoam allows Gateway Failover both in Active-Active and Active-Backup setups. In an Active-Active setup, if any one of the active gateways fails, the traffic is redirected to another active gateway. The Administrator can specify Failover Conditions to indicate how the failed gateway is to be detected. In an Active-Backup setup, one or more of the gateways are configured as backup gateways. If an Active Gateway fails, the traffic can be redirected to a backup gateway, ensuring Internet continuity.

Configure Backup Gateway

You can configure a gateway as a Backup gateway by following the steps below.

1. Go to Network > Gateway > Gateway and select the required Gateway.
2. Select Gateway Type as Backup and configure Backup Gateway Details as shown below.
Click OK to save changes.
This setup indicates that if any Active Gateway fails, PortD_Gateway would get activated and would inherit the weight of the failed gateway.

Configure Failover Condition

By default, on adding a gateway, Cyberoam adds a Failover Rule indicating that if Cyberoam is not able to PING the gateway, it would be considered down, as shown below.
Click Add to add another rule, or Edit to change the existing rule. Here, as an example, we have added a Rule that indicates that if Cyberoam is not able to PING the Gateway 172.16.16.15 and establish a TCP connection on port 80 with 4.2.2.2, the gateway will be considered down.
Click OK to save the Gateway Failure Rule. During a link failure, Cyberoam regularly checks the health of a given connection, assuring fast reconnection when Internet service is restored. When the connection is restored and gateway is up again, traffic is rerouted through the Active gateway automatically.
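The following simulation, added here and not code from the article or from Cyberoam, ties together the three behaviours described above: weighted round robin across Active gateways, a Backup gateway inheriting the weight of a failed Active gateway, and the failover rule that marks a gateway down when the PING or the TCP port 80 probe fails. It uses the gateway addresses from the IP schema; the weights and the Gateway class are assumptions, since the article's weight screenshot is not reproduced here.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    ip: str
    weight: int
    gw_type: str = "Active"   # "Active" or "Backup", as in Network > Gateway > Gateway
    healthy: bool = True


def gateway_is_up(ping_ok: bool, tcp80_ok: bool) -> bool:
    """Failover rule from the article: the gateway counts as down when either
    the PING probe or the TCP port 80 probe fails."""
    return ping_ok and tcp80_ok


def active_pool(gateways):
    """Return (name, weight) pairs that currently receive traffic. A healthy
    Backup gateway replaces a failed Active gateway and inherits the failed
    gateway's weight, as the article describes."""
    up = [g for g in gateways if g.gw_type == "Active" and g.healthy]
    failed = [g for g in gateways if g.gw_type == "Active" and not g.healthy]
    backups = [g for g in gateways if g.gw_type == "Backup" and g.healthy]
    pool = [(g.name, g.weight) for g in up]
    for dead, backup in zip(failed, backups):
        pool.append((backup.name, dead.weight))
    return pool


def weighted_round_robin(pool, sessions):
    """Assign `sessions` new connections in proportion to weight: one cycle
    uses each gateway `weight` times before starting over."""
    cycle = [name for name, weight in pool for _ in range(weight)]
    return [cycle[i % len(cycle)] for i in range(sessions)]


# Constructed gateways using the addresses from the IP schema; weights are assumed.
GATEWAYS = [
    Gateway("Default", "172.16.16.15", weight=2),
    Gateway("PortD_Gateway", "10.10.2.19", weight=1),
]

if __name__ == "__main__":
    print(Counter(weighted_round_robin(active_pool(GATEWAYS), 6)))
    GATEWAYS[1].gw_type = "Backup"                       # Active-Backup setup
    GATEWAYS[0].healthy = gateway_is_up(ping_ok=False, tcp80_ok=True)
    print(active_pool(GATEWAYS))                         # backup inherits weight 2
```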
Configure Email Notification
Applicable Version: 10.00 onwards
Overview
Cyberoam allows configuration of Email notifications for certain system-generated events and reports (as specified by administrator). Such Email notifications can be configured to inform administrator about:
- Change in gateway status
- Change in HA (high availability) link status (if an HA cluster is configured)
- Change in state of IPSec Tunnel(s)
- Various reports (customizable)
Scenario

Configure Email Notifications in Cyberoam.
Configuration

The entire configuration is to be done from the Web Admin Console of Cyberoam. Configuration requires read-write administrative permission for the relevant features.

Step 1: Configure Mail Server Settings

Configuring Mail Server Settings enables the administrator to receive Email notifications for system-generated events like a change in gateway status, a change in HA link status and a change in the state of an IPSec Tunnel. Configure the Mail Server by going to System > Configuration > Notification and setting the parameters as shown below.
Parameter | Value | Description
Mail Server Settings
Mail Server IP Address/FQDN - Port | 172.16.16.24 - 25 | Configure your Mail Server IP address and port
Authentication Required | Enabled | If enabled, specify the authentication parameters, i.e. username and password
Email Settings
From Email Address | admin@cyberoam.com | Specify the email address from which the notification is to be sent.
Send Notifications to Email Address | john.smith@cyberoam.com | Specify the email address to which the notification is to be sent.
Click Test Mail to check Mail Server Configuration. If test mail is delivered successfully, click Apply to save configuration.
Step 2: Configure Email Notification for Reports

You can configure daily or weekly Email notification for the following report groups: Web Usage, Mail Usage, FTP Usage, Blocked Web Attempts, Attacks, Spam, Virus, Event, Search Engine, IM Usage, Blocked IM Attempts, Internet Usage, VPN, SSL VPN, Denied SSL VPN Attempts, Blocked Applications, Applications. Configure Report Notifications by following the steps given below.

Go to Logs & Reports > View Reports, or click the Reports tab available on the Icon Bar in the upper rightmost corner of every page, to access On-Appliance iView.
In iView, go to System > Configuration > Report Notification and click Add to add report notification. Here, as an example, we have configured a daily Email Notification for Search Engine Reports.
Parameter | Value | Description
Name | Search_Engine_Report | Specify the report notification name
To Email Address | admin@cyberoam.com | Specify the Email address of the recipient
Report Group | Search Engine | Select the report category from the Report Group drop-down list
Email Frequency | Daily at 11 hours | Set the Email frequency
Click Add to add a new notification.
With the above configuration, all the Search Engine reports will be mailed every day at 10 am.